[Bf-codereview] Blender password text input (issue 6713044)

jiri.hnidek at gmail.com
Mon Oct 22 14:11:24 CEST 2012


On 2012/10/16 14:07:44, jiri.hnidek wrote:

I was asked by Ton to add use cases and some security notes.

Use cases:
* This new subtype of string property is intended mostly for Add-on
developers writing an Add-on which communicates with some server (http,
sql, ftp, verse, etc.). When this server requires user authentication
and the user has to type a username and password, the current API doesn't
allow typing a 'hidden' password, e.g. when you want to demonstrate this
script, everybody can see this security password. Some examples of
Add-ons which could use this new subtype:
  - On-line database of textures
  - Integration of render farm
  - Integration of Verse (Yes, I am just trying to write some Verse2 Add-on
:-))

Security Notes:
* You can copy and paste the string of the property from the text input
using (Ctrl-C, Ctrl-V), but you can do this in other GUI toolkits too (this
behavior is widely used).
* The text of the string property is stored in plain text, but this is
widely used. Look at other GUI toolkits. They don't try to solve this issue
either. Example from the Qt documentation:
http://doc.qt.digia.com/3.3/qlineedit.html#EchoMode-enum
  - Add-on developers expect the string property in plain text.
   - Look at this example using the new subtype of string property:
      https://dl.dropbox.com/u/369894/draw_op_passwd.py
  - The Add-on developer is responsible for sending the password over the
network in a secure way, not the Blender API.
  - Each network protocol requires different password protection.
* Some evil Add-on can try to steal this plain text password, but it
would be complicated and useless to solve this issue, because Add-on
developers expect the string property in plain text.

https://codereview.appspot.com/6713044/

